[openssl-users] Forcing the FIPS module to fail (no way)

Alberto Roman Linacero aroman at alienvault.com
Wed Sep 2 18:35:34 UTC 2015


Yep, I understand now. I thought that the whole binary file
application was signed, and not only the FIPS module part.

I already did some tests (with that string and also in different parts
of the code that belongs to the fipscanister.o), and it -correctly-
fails.

server:~# export OPENSSL_FIPS=1
server:~# openssl sha1 testfile
139697803871912:error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match:fips.c:232:

Thanks a lot!!

2015-09-02 20:16 GMT+02:00 Dr. Stephen Henson <steve at openssl.org>:
> On Tue, Sep 01, 2015, Alberto Roman Linacero wrote:
>
>> So, is it possible at runtime to know if the FIPS module code has been
>> changed after compiling? I mean, after openssl has been compiled
>> with the FIPS Object Module (./config fips & make & make install), the
>> 4 files in the FIPS Object Module (fipscanister* and so on) don't
>> need to be in the final system for the application (openssl
>> for instance) to work.
>>
>> Is there any way to know, at runtime, that the FIPS Object Module code
>> has not been changed?
>>
>
> Yes, the integrity test will fail.
>
> Just to clarify. When you link the FIPS module, part of the code will
> correspond to the application (which may be OpenSSL itself or the
> OpenSSL shared library) and part of it will be the FIPS module code from
> fipscanister.o. If you change the part of the binary corresponding to
> fipscanister.o the integrity test will fail; if you change the part of the
> binary outside fipscanister.o it won't.
>
> For example there is a version string which says something like "FIPS 2.0.10
> validated module 14 May 2015", try changing that.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
-- 
Alberto Román

Engineering team
http://www.alienvault.com

Mobile:  +34 605804179
Phone: + 91 5151344
Email: aroman at alienvault.com
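The point Steve makes above, that the in-core integrity test covers only the bytes that came from fipscanister.o and not the rest of the linked binary, is easy to model. The following is an added example, not code from this thread or from OpenSSL: it builds a constructed "image" with a covered module region (holding a constructed version string), an excluded slot for the expected HMAC-SHA1 fingerprint, and uncovered application code on either side, then shows that patching a byte inside the module region makes the check fail while patching a byte outside it does not. The layout offsets and the HMAC key are assumptions made for the example; the real module's key and layout are its own.

```python
import hashlib
import hmac

# Constructed stand-in for the integrity-test HMAC key (assumption; the real
# module uses its own fixed key).
FINGERPRINT_KEY = b"example-integrity-key"

# Constructed image layout (byte offsets into the "linked binary"):
#   [0, 64)       application code outside the module  -> NOT covered
#   [64, 192)     module region from fipscanister.o    -> covered by the HMAC
#   [192, 212)    slot holding the expected fingerprint -> excluded from the HMAC
#   [212, ...)    more application code                 -> NOT covered
APP_HEAD = 64
MODULE_START = 64
MODULE_END = 192
FP_SLOT = 192
FP_LEN = 20  # HMAC-SHA1 digest length

# Constructed version string that lives inside the covered module region.
MODULE_VERSION_TEXT = b"FIPS 0.0.0 example module (constructed)"


def module_fingerprint(image: bytes) -> bytes:
    """HMAC-SHA1 over the module region only; everything else is ignored."""
    covered = image[MODULE_START:MODULE_END]
    return hmac.new(FINGERPRINT_KEY, covered, hashlib.sha1).digest()


def build_image() -> bytes:
    """Assemble the constructed image and embed the expected fingerprint."""
    app_head = b"app-code-not-covered".ljust(APP_HEAD, b"\x90")
    module = (b"module-code" + MODULE_VERSION_TEXT).ljust(
        MODULE_END - MODULE_START, b"\xcc")
    slot = bytes(FP_LEN)  # zero-filled until the fingerprint is written in
    app_tail = b"app-tail-not-covered" * 3
    image = app_head + module + slot + app_tail
    fingerprint = module_fingerprint(image)  # slot is excluded, so order is fine
    return image[:FP_SLOT] + fingerprint + image[FP_SLOT + FP_LEN:]


def check_incore_fingerprint(image: bytes) -> bool:
    """Recompute the HMAC over the module region and compare with the slot."""
    expected = image[FP_SLOT:FP_SLOT + FP_LEN]
    return hmac.compare_digest(module_fingerprint(image), expected)


def patch(image: bytes, offset: int, data: bytes) -> bytes:
    """Overwrite bytes at offset, simulating an edit to the on-disk binary."""
    return image[:offset] + data + image[offset + len(data):]


def demo() -> tuple:
    """Return (pristine ok?, module-region patched ok?, app-region patched ok?)."""
    image = build_image()
    version_off = image.index(MODULE_VERSION_TEXT)  # inside the covered region
    tampered_inside = patch(image, version_off, b"X")
    tampered_outside = patch(image, 4, b"X")  # offset 4 lies in the app head
    return (
        check_incore_fingerprint(image),
        check_incore_fingerprint(tampered_inside),
        check_incore_fingerprint(tampered_outside),
    )


if __name__ == "__main__":
    pristine, inside, outside = demo()
    print("pristine image:        ", "ok" if pristine else "fingerprint does not match")
    print("version string patched:", "ok" if inside else "fingerprint does not match")
    print("app code patched:      ", "ok" if outside else "fingerprint does not match")
```

This mirrors what Alberto observed: editing the version string (which sits in the fipscanister.o part) trips the check, whereas the same check says nothing about edits to the surrounding application code, so it must not be relied on as a whole-binary integrity mechanism.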

